openclaw-vault

Credential lifecycle security for agent workspaces. Audit credential exposure, detect misconfigured permissions, inventory all secrets, and identify stale credentials needing rotation. Free alert layer — upgrade to openclaw-vault-pro for automated remediation, credential rotation, and access control.
Install via ClawdBot CLI:
clawdbot install AtlasPA/openclaw-vault

Protects your credential lifecycle: not just finding secrets in source code (that's what Sentry does), but tracking how credentials are exposed through services, permissions, history, configs, containers, and time.
Credentials don't just leak through source code. They leak through:
.bash_history

This skill watches the full credential lifecycle. Sentry finds secrets in files. Vault finds secrets that are exposed.
Comprehensive credential exposure audit: permission checks, shell history, git config, config file scanning, log file scanning, gitignore coverage, and staleness detection.
python3 {baseDir}/scripts/vault.py audit --workspace /path/to/workspace
Detect credential exposure vectors: misconfigured permissions, public directory exposure, git history risks, Docker credential embedding, shell alias leaks, and URL query parameter credentials in code.
python3 {baseDir}/scripts/vault.py exposure --workspace /path/to/workspace
Build a structured inventory of all credential files in the workspace. Categorizes by type (API key, database URI, token, certificate, SSH key, password), tracks age, and flags stale or exposed credentials.
python3 {baseDir}/scripts/vault.py inventory --workspace /path/to/workspace
One-line summary: credential count, exposure count, staleness warnings.
python3 {baseDir}/scripts/vault.py status --workspace /path/to/workspace
If --workspace is omitted, the script tries:
OPENCLAW_WORKSPACE environment variable
~/.openclaw/workspace (default)

| Category | Details |
|----------|---------|
| Permissions | .env files with world-readable or group-readable permissions |
| Shell History | Credentials in .bash_history, .zsh_history, .python_history, etc. |
| Git Config | Credentials embedded in git remote URLs, plaintext credential helpers |
| Config Files | Hardcoded secrets in JSON, YAML, TOML, INI config files |
| Log Files | Credentials accidentally logged in .log files |
| Gitignore | Missing patterns for .env, .pem, .key, credentials.json, etc. |
| Staleness | Credential files older than 90 days that may need rotation |
| Public Dirs | Credential files in public/, static/, www/, dist/, build/ |
| Git History | Credential files in git repos that may be committed |
| Docker | Secrets hardcoded in Dockerfile and docker-compose configs |
| Shell RC | Credentials in .bashrc, .zshrc, .profile aliases |
| URL Params | API keys/tokens passed in URL query strings in code |
Exit codes:
0 — Clean, no issues
1 — Warnings detected (review needed)
2 — Critical exposure detected (action needed)

Python standard library only. No pip install. No network calls. Everything runs locally.
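As an added example (not the project's own vault.py), a minimal Python audit covering four of the categories in the table above: .env file permissions, 90-day staleness, credentials in shell history, and credentials in URL query strings, with the same 0/1/2 exit-code convention. The regexes, file names and the sample workspace it builds in a temp directory are constructed for illustration; the real script's patterns may differ.

```python
import os, re, stat, tempfile, time
from pathlib import Path

STALE_DAYS = 90
# Constructed heuristics (the real vault.py patterns may differ).
HISTORY_RE = re.compile(r"(?i)(api[_-]?key|token|secret|password)\s*=\s*\S+")
URL_PARAM_RE = re.compile(r"(?i)[?&](api[_-]?key|access_token|token)=")

def check_env_permissions(path):
    # Critical if the credential file is readable by group or others.
    mode = path.stat().st_mode & 0o777
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return ("critical", f"{path.name}: mode {oct(mode)} is group/world readable")

def check_staleness(path):
    # Warning if the file has not changed in more than STALE_DAYS.
    age_days = (time.time() - path.stat().st_mtime) / 86400
    if age_days > STALE_DAYS:
        return ("warning", f"{path.name}: {int(age_days)} days old, consider rotating")

def scan_lines(path, pattern, label):
    # Flag every line of a text file that matches the pattern.
    return [("critical", f"{path.name}:{n}: {label}") for n, line in
            enumerate(path.read_text(errors="replace").splitlines(), 1) if pattern.search(line)]

def audit(workspace):
    ws, findings = Path(workspace), []
    for env in ws.rglob(".env*"):
        findings += [f for f in (check_env_permissions(env), check_staleness(env)) if f]
    for hist in ws.glob(".*_history"):
        findings += scan_lines(hist, HISTORY_RE, "credential in shell history")
    for src in ws.rglob("*.py"):
        findings += scan_lines(src, URL_PARAM_RE, "credential in URL query string")
    return findings

def exit_code(findings):
    # Same convention as the page: 0 clean, 1 warnings only, 2 any critical.
    levels = {level for level, _ in findings}
    return 2 if "critical" in levels else 1 if "warning" in levels else 0

def run_demo():
    # Constructed sample workspace in a temp dir: one leaky file per category.
    ws = Path(tempfile.mkdtemp())
    env = ws / ".env"
    env.write_text("DB_URI=postgres://app:constructed@db.example.invalid/app\n")
    os.chmod(env, 0o644)                               # group/world readable
    os.utime(env, (time.time() - 120 * 86400,) * 2)    # 120 days old
    (ws / ".bash_history").write_text("cd project\nexport OPENAI_API_KEY=sk-constructed\n")
    (ws / "client.py").write_text('r = get("https://api.example.invalid/v1?api_key=" + k)\n')
    findings = audit(ws)
    return findings, exit_code(findings)
```

Running `run_demo()` against the constructed workspace yields three critical findings and one staleness warning, so the exit code is 2.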
Works with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification.
Generated Mar 1, 2026
DevOps teams can use OpenClaw Vault to perform comprehensive credential audits before production deployments. It identifies exposed credentials in configuration files, Docker images, and shell history that traditional source code scanners might miss, helping prevent credential leaks in CI/CD pipelines.
Organizations preparing for SOC 2, ISO 27001, or HIPAA audits can use this skill to demonstrate credential management controls. It provides evidence of regular credential inventory checks, exposure detection, and stale credential identification required by security frameworks.
During mergers and acquisitions, security teams can run credential exposure checks on target company codebases and systems. This helps identify hidden credential risks in git history, misconfigured permissions, and hardcoded secrets that could pose post-acquisition security threats.
New developers can run quick status checks on their local development environments to identify credential exposure risks. This helps catch personal credential leaks in shell history, git config, and local config files before they become security incidents.
Security teams can audit Docker configurations and container images for embedded credentials. The skill detects secrets hardcoded in Dockerfiles and docker-compose files, helping prevent credential exposure in containerized deployments across cloud environments.
Consulting firms can offer credential exposure audits as a service using OpenClaw Vault. They can charge per audit or through retainer agreements, providing detailed reports on credential risks with actionable remediation steps for clients.
Security platform companies can integrate OpenClaw Vault into their existing products as a credential lifecycle module. This adds value to their security suites and allows upselling to enterprise customers needing comprehensive credential management.
SaaS companies can offer OpenClaw Vault as part of developer security toolkits with premium features like historical tracking, team dashboards, and automated remediation. This creates recurring revenue through monthly subscriptions for development teams.
💬 Integration Tip
Set the OPENCLAW_WORKSPACE environment variable for automatic workspace detection, and schedule regular audit runs in CI/CD pipelines to catch credential exposure early.